TOPX(FORMERLYTWITTER).md

File metadata and controls

250 lines (249 loc) · 34.5 KB

Top reports from X (Formerly Twitter) program at HackerOne:

  1. Potential pre-auth RCE on Twitter VPN to X (Formerly Twitter) - 1190 upvotes, $20160
  2. Bypassing Digits origin validation which leads to account takeover to X (Formerly Twitter) - 592 upvotes, $0
  3. CRLF injection to X (Formerly Twitter) - 429 upvotes, $0
  4. Read-only application can publish/delete fleets to X (Formerly Twitter) - 395 upvotes, $0
  5. Blind XSS on Twitter's internal Big Data panel at █████████████ to X (Formerly Twitter) - 347 upvotes, $0
  6. Private list members disclosure via GraphQL to X (Formerly Twitter) - 327 upvotes, $0
  7. [Urgent] Invalidating OAuth2 Bearer token makes TweetDeck unavailable to X (Formerly Twitter) - 319 upvotes, $0
  8. Bypass Password Authentication for updating email and phone number - Security Vulnerability to X (Formerly Twitter) - 267 upvotes, $0
  9. Insufficient OAuth callback validation which leads to Periscope account takeover to X (Formerly Twitter) - 260 upvotes, $0
  10. XXE on sms-be-vip.twitter.com in SXMP Processor to X (Formerly Twitter) - 251 upvotes, $0
  11. Insufficient validation on Digits bridge to X (Formerly Twitter) - 251 upvotes, $0
  12. XSS and Open Redirect on MoPub Login to X (Formerly Twitter) - 233 upvotes, $1540
  13. XSS via Direct Message deeplinks to X (Formerly Twitter) - 228 upvotes, $0
  14. Stored XSS on reports. to X (Formerly Twitter) - 218 upvotes, $700
  15. Github Account hijack through broken link in developer.twitter.com to X (Formerly Twitter) - 210 upvotes, $0
  16. Periscope android app deeplink leads to CSRF in follow action to X (Formerly Twitter) - 208 upvotes, $0
  17. Account Takeover in Periscope TV to X (Formerly Twitter) - 198 upvotes, $7560
  18. XSS and cache poisoning via upload.twitter.com on ton.twitter.com to X (Formerly Twitter) - 195 upvotes, $0
  19. Discoverability by phone number/email restriction bypass to X (Formerly Twitter) - 193 upvotes, $5040
  20. Verify any unused email address to X (Formerly Twitter) - 190 upvotes, $560
  21. protected Tweet settings overwritten by other settings to X (Formerly Twitter) - 174 upvotes, $0
  22. Takeover of Twitter-owned domain at mobileapplinking.com to X (Formerly Twitter) - 157 upvotes, $0
  23. Twitter ID exposure via error-based side-channel attack to X (Formerly Twitter) - 150 upvotes, $1470
  24. url that twitter mobile site can not load to X (Formerly Twitter) - 139 upvotes, $1120
  25. character limitation bypass can lead to DoS on Twitter App and 500 Internal Server Error to X (Formerly Twitter) - 138 upvotes, $0
  26. Reflected XSS in twitterflightschool.com to X (Formerly Twitter) - 133 upvotes, $1120
  27. Highly wormable clickjacking in player card to X (Formerly Twitter) - 131 upvotes, $0
  28. Twitter Periscope Clickjacking Vulnerability to X (Formerly Twitter) - 129 upvotes, $1120
  29. Incorrect param parsing in Digits web authentication to X (Formerly Twitter) - 122 upvotes, $0
  30. XSS via referrer parameter to X (Formerly Twitter) - 121 upvotes, $0
  31. Vine: all registered users' private/sensitive information disclosure [IP address, phone number, email and much other information] to X (Formerly Twitter) - 117 upvotes, $7560
  32. Changing email address on Twitter for Android unsets "Protect your Tweets" to X (Formerly Twitter) - 116 upvotes, $2940
  33. [URGENT] Opportunity to publish tweets on any twitters account to X (Formerly Twitter) - 116 upvotes, $0
  34. IDOR and statistics leakage in Orders to X (Formerly Twitter) - 115 upvotes, $289
  35. Bypassing Digits web authentication's host validation with HPP to X (Formerly Twitter) - 104 upvotes, $0
  36. Ability to perform actions (Tweet, Retweet, DM) and other actions, unauthenticated, on any account with SMS enabled. to X (Formerly Twitter) - 99 upvotes, $0
  37. Safe Redirect Bypass to X (Formerly Twitter) - 94 upvotes, $560
  38. Blind XSS on Twitter's internal Jira panel at ████ allows exfiltration of hackers reports and other sensitive data to X (Formerly Twitter) - 94 upvotes, $0
  39. Creating malformed URLs via new line character in-between two URLs leads to misrepresented hyperlinks in Tweets/DMs to X (Formerly Twitter) - 92 upvotes, $0
  40. Attacker can get all information of Vine repost users, even IP address and location to X (Formerly Twitter) - 90 upvotes, $5040
  41. Remote Unrestricted file Creation/Deletion and Possible RCE. to X (Formerly Twitter) - 89 upvotes, $0
  42. Bypassing Digits bridge origin validation to X (Formerly Twitter) - 89 upvotes, $0
  43. Github Token Leaked publicly for https://github.com/mopub to X (Formerly Twitter) - 89 upvotes, $0
  44. Denial of Service | twitter.com & mobile.twitter.com to X (Formerly Twitter) - 86 upvotes, $1120
  45. Twitter lite(Android): Vulnerable to local file steal, Javascript injection, Open redirect to X (Formerly Twitter) - 86 upvotes, $0
  46. Html Injection and Possible XSS in sms-be-vip.twitter.com to X (Formerly Twitter) - 82 upvotes, $0
  47. [Studio.twitter.com] See someone else pics to X (Formerly Twitter) - 82 upvotes, $0
  48. Persistent DOM-based XSS in https://help.twitter.com via localStorage to X (Formerly Twitter) - 82 upvotes, $0
  49. [CRITICAL] Full account takeover using CSRF to X (Formerly Twitter) - 80 upvotes, $0
  50. Incorrect details on OAuth permissions screen allows DMs to be read without permission to X (Formerly Twitter) - 73 upvotes, $2940
  51. Multiple XSS on account settings that can hijack any users in the company. to X (Formerly Twitter) - 72 upvotes, $700
  52. Cross-Domain Leakage of X Username / UserID due to Dynamically Generated JS File to X (Formerly Twitter) - 70 upvotes, $1500
  53. [dev.twitter.com] XSS and Open Redirect to X (Formerly Twitter) - 68 upvotes, $1120
  54. Denial of Service [Chrome] to X (Formerly Twitter) - 66 upvotes, $560
  55. Multiple DOMXSS on Amplify Web Player to X (Formerly Twitter) - 66 upvotes, $0
  56. CSRF on Periscope Web OAuth authorization endpoint to X (Formerly Twitter) - 66 upvotes, $0
  57. Able to see Twitter Circle tweets due to improper access control on the "FavoriteTweet" endpoint to X (Formerly Twitter) - 65 upvotes, $0
  58. Protected tweets exposure through the URL to X (Formerly Twitter) - 64 upvotes, $560
  59. Viral Direct Message Clickjacking via link truncation leading to capture of both Google credentials & installation of malicious 3rd party Twitter App to X (Formerly Twitter) - 64 upvotes, $0
  60. Subdomain takeover of images.crossinstall.com to X (Formerly Twitter) - 63 upvotes, $0
  61. Chained open redirects and use of Ideographic Full Stop defeat Twitter's approach to blocking links to X (Formerly Twitter) - 61 upvotes, $560
  62. Blind XSS in MoPub Marketplace Admin Production | Sentry via demand.mopub.com (User-Agent) to X (Formerly Twitter) - 61 upvotes, $0
  63. Ability to getting Twitter Blue verified badge without purchase it to X (Formerly Twitter) - 61 upvotes, $0
  64. HTTP Response Splitting (CRLF injection) in report_story to X (Formerly Twitter) - 56 upvotes, $0
  65. NO username used in authentication to www.mopub.com leading to direct password submission which has unlimited submission rate. to X (Formerly Twitter) - 56 upvotes, $0
  66. Subdomain takeover on dev-admin.periscope.tv to X (Formerly Twitter) - 54 upvotes, $0
  67. Ability to see hidden likes to X (Formerly Twitter) - 54 upvotes, $0
  68. Periscope iOS app CSRF in follow action due to deeplink to X (Formerly Twitter) - 53 upvotes, $2940
  69. DOM based cookie bomb to X (Formerly Twitter) - 52 upvotes, $0
  70. Ability to add arbitrary images/descriptions/titles to other people's issues via IDOR on getrevue.co to X (Formerly Twitter) - 52 upvotes, $0
  71. Ability to bruteforce mopub account’s password due to lack of rate limitation protection using {ip rotation techniques} to X (Formerly Twitter) - 51 upvotes, $420
  72. Bypass Password Authentication to Update the Password to X (Formerly Twitter) - 51 upvotes, $0
  73. reverb.twitter.com redirects to vulnerable reverb.guru to X (Formerly Twitter) - 50 upvotes, $0
  74. DOMXSS in Tweetdeck to X (Formerly Twitter) - 50 upvotes, $0
  75. Open Redirect on https://www.twitterflightschool.com/widgets/experience?destination_url=https://evil.com to X (Formerly Twitter) - 50 upvotes, $0
  76. Stealing User emails by clickjacking cards.twitter.com/xxx/xxx to X (Formerly Twitter) - 49 upvotes, $0
  77. Tracking of users on third-party websites using the Twitter cookie, due to a flaw in authenticating image requests to X (Formerly Twitter) - 49 upvotes, $0
  78. Opportunity to obtain private tweets through search widget preview caches to X (Formerly Twitter) - 47 upvotes, $1120
  79. URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS to X (Formerly Twitter) - 47 upvotes, $0
  80. Bypassing callback_url validation on Digits to X (Formerly Twitter) - 47 upvotes, $0
  81. csp bypass + xss to X (Formerly Twitter) - 47 upvotes, $0
  82. View liked tweets of private account via publish.twitter.com to X (Formerly Twitter) - 46 upvotes, $0
  83. Cross-site scripting (reflected) to X (Formerly Twitter) - 45 upvotes, $0
  84. [dev.twitter.com] XSS and Open Redirect Protection Bypass to X (Formerly Twitter) - 44 upvotes, $1120
  85. Periscope-all Firebase database takeover to X (Formerly Twitter) - 41 upvotes, $0
  86. Open Redirect to X (Formerly Twitter) - 40 upvotes, $0
  87. Bypass t.co link shortener in Twitter direct messages to X (Formerly Twitter) - 39 upvotes, $0
  88. niche s3 buckets are readable/writeable/deleteable by authorized AWS users to X (Formerly Twitter) - 38 upvotes, $0
  89. CSRF on cards API to X (Formerly Twitter) - 38 upvotes, $0
  90. XSS on https://app.mopub.com/reports/custom/add/ [new-d1] to X (Formerly Twitter) - 38 upvotes, $0
  91. Urgent : Unauthorised Access to Media content of all Direct messages and protected tweets(Indirect object reference) to X (Formerly Twitter) - 37 upvotes, $420
  92. [IDOR][translate.twitter.com] Opportunity to change any comment at the forum to X (Formerly Twitter) - 37 upvotes, $0
  93. Twitter iOS fails to validate server certificate and sends oauth token to X (Formerly Twitter) - 36 upvotes, $2100
  94. Wrong interpretation of URL-encoded characters, showing different punycode, leads to redirection to a different domain to X (Formerly Twitter) - 36 upvotes, $560
  95. CSRF on https://www.niche.co leads to "account disconnection" to X (Formerly Twitter) - 35 upvotes, $0
  96. Bypassing x profile verification to receive instant blue checkmark and unlimited profile changes to X (Formerly Twitter) - 34 upvotes, $250
  97. Listing of Amazon S3 Bucket accessible to any amazon authenticated user (metrics.pscp.tv) to X (Formerly Twitter) - 34 upvotes, $140
  98. 2 Subdomains Takeover at readfu.com to X (Formerly Twitter) - 34 upvotes, $0
  99. [staging-engineering.gnip.com] Publicly accessible GIT directory to X (Formerly Twitter) - 32 upvotes, $280
  100. Accepting error message on twitter sends you to attacker site to X (Formerly Twitter) - 31 upvotes, $0
  101. Bypass Password Authentication to Update the Password to X (Formerly Twitter) - 31 upvotes, $0
  102. Android WebViews in Twitter app are vulnerable to UXSS due to configuration and CVE-2020-6506 to X (Formerly Twitter) - 30 upvotes, $560
  103. GNIP subdomain take over to X (Formerly Twitter) - 30 upvotes, $0
  104. HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter to X (Formerly Twitter) - 30 upvotes, $0
  105. No rate limiting on brute-forcing user passwords to X (Formerly Twitter) - 30 upvotes, $0
  106. HTTP Response Splitting (CRLF injection) due to headers overflow to X (Formerly Twitter) - 29 upvotes, $0
  107. CRLF and XSS stored on ton.twitter.com to X (Formerly Twitter) - 28 upvotes, $1680
  108. [sms-be-vip.twitter.com] vulnerable to Jetleak to X (Formerly Twitter) - 28 upvotes, $1260
  109. Delete direct message history without access the proper conversation_id to X (Formerly Twitter) - 28 upvotes, $560
  110. Reset password without knowing current password to X (Formerly Twitter) - 28 upvotes, $0
  111. POODLE SSLv3 bug on multiple twitter smtp servers (mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204) to X (Formerly Twitter) - 27 upvotes, $0
  112. Information Exposure Through Directory Listing vulnerability on 8 vcache**.usw2.snappytv.com websites to X (Formerly Twitter) - 26 upvotes, $0
  113. Information Disclosure through .DS_Store in ██████████ to X (Formerly Twitter) - 25 upvotes, $560
  114. Twitter Media Studio Source Information Disclosure With Analyst Role to X (Formerly Twitter) - 25 upvotes, $0
  115. [Critical] - Steal OAuth Tokens to X (Formerly Twitter) - 24 upvotes, $840
  116. cookie injection allow dos attack to periscope.tv to X (Formerly Twitter) - 24 upvotes, $560
  117. Remote 0click exfiltration of Safari user's IP address to X (Formerly Twitter) - 24 upvotes, $560
  118. Open Redirect Protection Bypass to X (Formerly Twitter) - 24 upvotes, $0
  119. CORS misconfig | Account Takeover to X (Formerly Twitter) - 24 upvotes, $0
  120. Twitter for android is exposing user's location to any installed android app to X (Formerly Twitter) - 23 upvotes, $560
  121. Vine - overwrite account associated with email via android application to X (Formerly Twitter) - 23 upvotes, $280
  122. CVE-2017-15277 on Profile page to X (Formerly Twitter) - 23 upvotes, $0
  123. CSRF and probable account takeover on https://www.niche.co to X (Formerly Twitter) - 23 upvotes, $0
  124. File Upload XSS in image uploading of App in mopub to X (Formerly Twitter) - 22 upvotes, $560
  125. Identify the mobile number of a twitter user to X (Formerly Twitter) - 22 upvotes, $560
  126. Deleted polls are still accessible after 30 days to X (Formerly Twitter) - 22 upvotes, $560
  127. [Bypass fixed #664038 and #519059] Application settings change settings that have been set by the user to X (Formerly Twitter) - 22 upvotes, $0
  128. http request smuggling in pscp.tv and periscope.tv to X (Formerly Twitter) - 21 upvotes, $560
  129. Unauthorized Access to Protected Tweets via niche.co API to X (Formerly Twitter) - 21 upvotes, $0
  130. Stored XSS in https://app.mopub.com to X (Formerly Twitter) - 21 upvotes, $0
  131. Improper session handling on web browsers to X (Formerly Twitter) - 19 upvotes, $560
  132. Link-shortener bypass (regression on fix for #1032610) to X (Formerly Twitter) - 19 upvotes, $560
  133. Sensitive Information Disclosure https://cards-dev.twitter.com to X (Formerly Twitter) - 19 upvotes, $280
  134. ms5 debug page exposing internal info (internal IPs, headers) to X (Formerly Twitter) - 19 upvotes, $280
  135. XSS on OAuth authorize/authenticate endpoint to X (Formerly Twitter) - 19 upvotes, $0
  136. Improper Host Detection During Team Up on tweetdeck.twitter.com to X (Formerly Twitter) - 19 upvotes, $0
  137. lack of input validation that can lead Denial of Service (DOS) to X (Formerly Twitter) - 18 upvotes, $560
  138. AppLovin API Key hardcoded in a Github repo to X (Formerly Twitter) - 18 upvotes, $280
  139. [██████████.gnip.com] .htpasswd disclosure to X (Formerly Twitter) - 18 upvotes, $0
  140. Twitter Source Label allow 'mongolian vowel separator' U+180E (app name) to X (Formerly Twitter) - 18 upvotes, $0
  141. Protected Tweets setting overridden by Android app to X (Formerly Twitter) - 16 upvotes, $560
  142. No Rate Limit in email leads to huge Mass mailings to X (Formerly Twitter) - 16 upvotes, $0
  143. XSS using javascript:alert(8007) to X (Formerly Twitter) - 15 upvotes, $0
  144. SSRF in https://cards-dev.twitter.com/validator to X (Formerly Twitter) - 15 upvotes, $0
  145. http request smuggling in twitter.com to X (Formerly Twitter) - 15 upvotes, $0
  146. iOS app crashed by specially crafted direct message reactions to X (Formerly Twitter) - 14 upvotes, $560
  147. xss in link items (mopub.com) to X (Formerly Twitter) - 13 upvotes, $0
  148. PI leakage By Brute Forcing and Phone number deleting without using password to X (Formerly Twitter) - 13 upvotes, $0
  149. IDOR- Activate Mopub on different organizations- steal api token- Fabric.io to X (Formerly Twitter) - 12 upvotes, $0
  150. Html Injection and Possible XSS via MathML to X (Formerly Twitter) - 12 upvotes, $0
  151. User input validation can lead to DOS to X (Formerly Twitter) - 11 upvotes, $560
  152. [Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME to X (Formerly Twitter) - 11 upvotes, $0
  153. Access MoPub Reports Data even after Company removed you from their MoPub Account. to X (Formerly Twitter) - 11 upvotes, $0
  154. Add tweet to collection CSRF to X (Formerly Twitter) - 10 upvotes, $560
  155. login csrf in analytics.mopub.com to X (Formerly Twitter) - 10 upvotes, $280
  156. leaking Digits OAuth authorization to third party websites to X (Formerly Twitter) - 10 upvotes, $0
  157. Clickjacking Periscope.tv on Chrome to X (Formerly Twitter) - 10 upvotes, $0
  158. HTTPS is not validating TLS mac codes to X (Formerly Twitter) - 10 upvotes, $0
  159. [Twitter Open Source] Releases were & are built/executed/tested/released in the context of insecure/untrusted code to X (Formerly Twitter) - 9 upvotes, $280
  160. Reports Modal in app.mopub.com Disclose by any user to X (Formerly Twitter) - 8 upvotes, $280
  161. Insecure Direct Object Reference - access to other user/group DM's to X (Formerly Twitter) - 8 upvotes, $0
  162. CSRF in twitterflightschool.com ( CAN POST ON TIMELINE WITHOUT USER PERMISSION) to X (Formerly Twitter) - 8 upvotes, $0
  163. URGENT : NICHE.co Account Take Over Vulnerability to X (Formerly Twitter) - 7 upvotes, $560
  164. Profile Pic padding (Length-hiding) fails due to use of GZIP to X (Formerly Twitter) - 7 upvotes, $280
  165. Sub Domain Takeover at mk.prd.vine.co to X (Formerly Twitter) - 7 upvotes, $140
  166. Broken authentication and invalidated email address leads to account takeover to X (Formerly Twitter) - 7 upvotes, $0
  167. Fabric.io: Ex-admin of an organization can delete team members to X (Formerly Twitter) - 6 upvotes, $280
  168. Cross site scripting on ads.twitter.com to X (Formerly Twitter) - 6 upvotes, $0
  169. XSS in the "Poll" Feature on Twitter.com to X (Formerly Twitter) - 6 upvotes, $0
  170. Open Redirect leak of authenticity_token lead to full account take over. to X (Formerly Twitter) - 5 upvotes, $1400
  171. Improper Verification of email address while saving Account Settings to X (Formerly Twitter) - 5 upvotes, $560
  172. Insecure Data Storage in Vine Android App to X (Formerly Twitter) - 5 upvotes, $140
  173. Delete Credit Cards from any Twitter Account in ads.twitter.com [New Vulnerability] to X (Formerly Twitter) - 5 upvotes, $0
  174. Insecure direct object reference - have access to deleted DM's to X (Formerly Twitter) - 5 upvotes, $0
  175. Tweet Deck XSS- Persistent- Group DM name to X (Formerly Twitter) - 5 upvotes, $0
  176. XSS via Fabrico Account Name to X (Formerly Twitter) - 5 upvotes, $0
  177. XSS in twitter.com/safety/unsafe_link_warning to X (Formerly Twitter) - 4 upvotes, $1400
  178. Problem with OAuth to X (Formerly Twitter) - 4 upvotes, $1260
  179. Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass) to X (Formerly Twitter) - 4 upvotes, $280
  180. Reporting user's profile by using another people's ID to X (Formerly Twitter) - 4 upvotes, $140
  181. Notifications can mark as read by CSRF to X (Formerly Twitter) - 4 upvotes, $0
  182. HTML/XSS rendered in Android App of Crashlytics through fabric.io to X (Formerly Twitter) - 4 upvotes, $0
  183. XSS in original referrer after follow to X (Formerly Twitter) - 4 upvotes, $0
  184. [mobile.twitter.com / twitter.com] CSRF protection bypass to X (Formerly Twitter) - 4 upvotes, $0
  185. Sub-Domain Takeover to X (Formerly Twitter) - 4 upvotes, $0
  186. xss in DM group name in twitter to X (Formerly Twitter) - 4 upvotes, $0
  187. Tweetdeck (twitter owned app) not revoked to X (Formerly Twitter) - 4 upvotes, $0
  188. List of a ton of internal twitter servers available on GitHub to X (Formerly Twitter) - 4 upvotes, $0
  189. fabric.io - app member can make himself an admin to X (Formerly Twitter) - 3 upvotes, $1400
  190. Twitter Ads Campaign information disclosure through admin without any authentication. to X (Formerly Twitter) - 3 upvotes, $560
  191. Twitter Card - Parent Window Redirection to X (Formerly Twitter) - 3 upvotes, $560
  192. URGENT - Subdomain Takeover on users.tweetdeck.com , the same issue of report #32825 to X (Formerly Twitter) - 3 upvotes, $420
  193. XSS ON MOPUB.COM to X (Formerly Twitter) - 3 upvotes, $0
  194. uclfinal.twitter.com and euro2012.twitter.com are vulnerable to CRIME attack to X (Formerly Twitter) - 3 upvotes, $0
  195. Password reset link not validated. to X (Formerly Twitter) - 3 upvotes, $0
  196. Headers Missing to X (Formerly Twitter) - 3 upvotes, $0
  197. Account Deleted without any confirmation to X (Formerly Twitter) - 3 upvotes, $0
  198. Flaw in login with twitter to steal Oauth tokens to X (Formerly Twitter) - 3 upvotes, $0
  199. User's DMs won't be deleted after logout from Twitter for iOS (com.atebits.xxx.application-state) to X (Formerly Twitter) - 3 upvotes, $0
  200. Redirect URL in /intent/ functionality is not properly escaped to X (Formerly Twitter) - 3 upvotes, $0
  201. getting emails of users/removing them from victims account [using typical attack] to X (Formerly Twitter) - 3 upvotes, $0
  202. Signup page HTML injection vulnerability to X (Formerly Twitter) - 3 upvotes, $0
  203. Cross site Port Scanning bug in twitter developers console to X (Formerly Twitter) - 3 upvotes, $0
  204. Can see private tweets via keyword searches on tweetdeck to X (Formerly Twitter) - 3 upvotes, $0
  205. Full Path Disclosure at 27.prd.vine.co to X (Formerly Twitter) - 3 upvotes, $0
  206. DOM Cross-Site Scripting ( XSS ) to X (Formerly Twitter) - 2 upvotes, $1400
  207. XSS platform.twitter.com to X (Formerly Twitter) - 2 upvotes, $1120
  208. Fabric.io - an app admin can delete team members from other user apps to X (Formerly Twitter) - 2 upvotes, $1120
  209. Unauthorized Tweeting on behalf of Account Owners to X (Formerly Twitter) - 2 upvotes, $420
  210. Open redirection in fabric.io to X (Formerly Twitter) - 2 upvotes, $280
  211. Cookie not marked as secure. to X (Formerly Twitter) - 2 upvotes, $0
  212. Stored xss to X (Formerly Twitter) - 2 upvotes, $0
  213. Token remains alive ever after logging out! to X (Formerly Twitter) - 2 upvotes, $0
  214. ads.twitter.com xss to X (Formerly Twitter) - 2 upvotes, $0
  215. Creating Unauthorized Audience Lists to X (Formerly Twitter) - 2 upvotes, $0
  216. Flaw in valid password policy. to X (Formerly Twitter) - 2 upvotes, $0
  217. XSS in fabric.io to X (Formerly Twitter) - 2 upvotes, $0
  218. Option Method Enabled on web server to X (Formerly Twitter) - 2 upvotes, $0
  219. Abuse of "Remember Me" functionality. to X (Formerly Twitter) - 2 upvotes, $0
  220. Homograph attack. to X (Formerly Twitter) - 2 upvotes, $0
  221. URGENT - SUBDOMAIN TAKEOVER ON TWITTER ACQ. to X (Formerly Twitter) - 2 upvotes, $0
  222. [Stored XSS] vine.co - profile page to X (Formerly Twitter) - 2 upvotes, $0
  223. iOS App can establish Facetime calls without user's permission to X (Formerly Twitter) - 2 upvotes, $0
  224. Privacy issue: view "protected users'" followers and following to X (Formerly Twitter) - 2 upvotes, $0
  225. OS Command Execution on User's PC via CSV Injection to X (Formerly Twitter) - 2 upvotes, $0
  226. Global defaming of any twitter user to X (Formerly Twitter) - 2 upvotes, $0
  227. XSS platform.twitter.com | video-js metadata to X (Formerly Twitter) - 1 upvotes, $1120
  228. open redirect sends authenticity_token to any website or (ip address) to X (Formerly Twitter) - 1 upvotes, $560
  229. Following a User Actually Follows Another User to X (Formerly Twitter) - 1 upvotes, $280
  230. Following a User After Favoriting Actually Follows Another User (related to #95243) to X (Formerly Twitter) - 1 upvotes, $280
  231. Full path disclosure at ads.twitter.com to X (Formerly Twitter) - 1 upvotes, $140
  232. POODLE Bug: 199.16.156.44, 199.16.156.108, mx4.twitter.com to X (Formerly Twitter) - 1 upvotes, $140
  233. XSS vulnerability in video player page to X (Formerly Twitter) - 1 upvotes, $0
  234. password sent over HTTP to X (Formerly Twitter) - 1 upvotes, $0
  235. CSRF in crashlytics.com to X (Formerly Twitter) - 1 upvotes, $0
  236. Captcha bypass with extension at http://www.mopub.com/about/contact/ to X (Formerly Twitter) - 1 upvotes, $0
  237. Twitter Flight SSL 2.0 deprecated protocol vulnerability. to X (Formerly Twitter) - 1 upvotes, $0
  238. Missing Rate Limiting on https://twitter.com/account/complete to X (Formerly Twitter) - 1 upvotes, $0
  239. BROKEN AUTHENTICATION IN MOBILE VERIFICATION to X (Formerly Twitter) - 1 upvotes, $0
  240. Options Method Enabled to X (Formerly Twitter) - 1 upvotes, $0
  241. No rate limiting on creating lists to X (Formerly Twitter) - 1 upvotes, $0
  242. Path disclosure in platform0.twitter.com to X (Formerly Twitter) - 1 upvotes, $0
  243. twitter android app Fragment Injection to X (Formerly Twitter) - 1 upvotes, $0
  244. Privacy Issue on protected tweets to X (Formerly Twitter) - 1 upvotes, $0
  245. Bad extended ascii handling in HTTP 301 redirects of t.co to X (Formerly Twitter) - 1 upvotes, $0
  246. Subdomain Expired to X (Formerly Twitter) - 1 upvotes, $0
  247. Opportunity to post hidden comments to X (Formerly Twitter) - 1 upvotes, $0
  248. HTML form without CSRF protection at http://try.crashlytics.com/enterprise/ to X (Formerly Twitter) - 0 upvotes, $0
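A large share of the titles above cluster around the same few validation mistakes in redirect and callback handling: open redirects and safe-redirect bypasses, the Ideographic Full Stop trick against link blocking, host validation defeated by HTTP parameter pollution, and CRLF injection. The block below is an added illustrative example of how a redirect endpoint hardens against those classes together; it is not code from X/Twitter or from any report in the list, and `ALLOWED_HOSTS`, `destination_url` and the function names are placeholders chosen for the example.

```python
import unicodedata
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Assumption: placeholder allow-list for this example, not X/Twitter's real hosts.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Code points that IDNA and browsers treat as label separators (RFC 3490
# section 3.1) but a naive string comparison does not: ideographic full stop
# U+3002, fullwidth full stop U+FF0E, halfwidth ideographic full stop U+FF61.
_DOT_CONFUSABLES = "\u3002\uff0e\uff61"


def _has_control_chars(s: str) -> bool:
    """CR, LF or NUL in a redirect target is header-injection material."""
    return any(c in s for c in "\r\n\x00")


def canonical_host(url: str) -> Optional[str]:
    """Return the lowercase host a browser would actually connect to for an
    http(s) URL, or None if the URL is not one we should ever redirect to."""
    if _has_control_chars(url):
        return None
    # NFKC folds fullwidth forms; the explicit replace covers U+3002, which has
    # no compatibility decomposition of its own.
    url = unicodedata.normalize("NFKC", url)
    for c in _DOT_CONFUSABLES:
        url = url.replace(c, ".")
    # Browsers treat a backslash as a slash, so "https://good.com\\@evil.com"
    # never reaches evil.com; normalise the same way before parsing.
    url = url.replace("\\", "/")
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None  # javascript:, data:, and scheme-less "//host" forms
    return parts.hostname  # lowercased; userinfo and port already stripped


def is_safe_redirect(url: str) -> bool:
    """True for same-origin relative paths and for absolute http(s) URLs whose
    canonical host is on the allow-list; everything else is refused."""
    if _has_control_chars(url):
        return False
    if url.startswith("/") and not url.startswith(("//", "/\\")):
        return True
    host = canonical_host(url)
    return host is not None and host in ALLOWED_HOSTS


def single_param(query: str, name: str) -> Optional[str]:
    """Read a query parameter while refusing HTTP parameter pollution: if the
    name appears more than once, a validator that reads the first value and a
    redirector that reads the last can be made to disagree, so reject it."""
    values = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]
    return values[0] if len(values) == 1 else None


def validate_redirect_query(query: str, param: str = "destination_url") -> bool:
    """End-to-end check a redirect endpoint would run on its raw query string."""
    target = single_param(query, param)
    return target is not None and is_safe_redirect(target)
```

The point of `canonical_host` is that the comparison happens on the host the browser will resolve, not on the raw string: `https://example.com。evil.com/` passes a `startswith("https://example.com")` check but canonicalises to `example.com.evil.com`, and `https://example.com@evil.com/` canonicalises to `evil.com`. `single_param` closes the parameter-pollution gap by refusing to choose between duplicated values at all.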